A 20-year-old man was responsible for the massive data breach at Uber last year, and the company paid him to destroy the data through its bug bounty program, reports Reuters. In November, Uber revealed it suffered from a cyberattack in October 2016 that exposed the private data of 57 million drivers and customers, which it then covered up. Uber allegedly paid hackers a $100,000 ransom to delete the data and not disclose what had happened to the media and public. The company didn’t say how the hacker was paid, or who he was.

sources say former CEO Travis Kalanick knew about the breach and cover-up payment

Sources have now told Reuters that payment to the hacker was made through its bounty program, which monetarily rewards those who find bugs in the company’s software and applications. Hackers and security researchers are typically paid thousands of dollars for bugs they find, depending on their severity. The sources claim that former CEO Travis Kalanick knew about the breach and bug bounty payment, but it’s unclear who authorized payment to the hacker.

Furthermore, Reuters reports that “Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing.” The company also reportedly ensured the data was deleted by undergoing a forensic analysis of the hacker’s computer. The hacker is described in the report as “living with his mom in a small home trying to help pay the bills,” and the report notes one source saying Uber didn’t want to prosecute an “individual who did not appear to pose a further threat.”

We’ve reached out to Uber for comment and will update when we hear back.